Cybersecurity & Data Privacy

Anthem Data Breach

Issue: Failure to safeguard confidential patient records

Lieff Cabraser partner Michael W. Sobol serves on the Plaintiffs’ Steering Committee in litigation against health insurance giant Anthem, Inc., for Anthem’s failure to implement and abide by standard security protocols, which resulted in a massive 2015 data breach involving identifiable personal information and health information belonging to over 80 million of Anthem’s members.

Because insurers like Anthem collect and store highly sensitive information as part of their business practices, they must ensure that such information is properly safeguarded and shielded from cybercriminals.

Anthem Privacy Breach

Anthem’s customer database was allegedly attacked by international hackers on December 10, 2014. Anthem says it discovered the breach on January 27, 2015, and reported it about a week later on February 4, 2015.

The scale of the breach was massive. The personal information of nearly 80 million people may have been compromised. The stolen data includes names, birth dates, Social Security numbers, billing information, and highly confidential health information.

The litigation alleged that organizations that hold personally identifiable information, and in particular confidential personal health information, owe a duty to safeguard this information and protect such information from being compromised, stolen, or misused, and that Anthem was on notice about the weaknesses in its computer security for at least a year before the breach occurred.

Court Grants Final Approval to Settlement

On August 16, 2018, the United States District Court for the Northern District of California granted final approval to a class action settlement in the Anthem Data Breach Litigation, which required Anthem to undertake significant additional cybersecurity measures to better safeguard information going forward, and to pay $115 million into a settlement fund from which benefits to settlement class members will be paid. The benefits to class members under the settlement include a minimum of two years of free credit monitoring, or a cash payment of $50 in lieu of credit monitoring for class members who already have such protection, and compensation up to $10,000 per class member for documented out-of-pocket losses attributable to the data breach.

Following the dismissal of appeals to the District Court’s order approving the settlement, the settlement became effective on October 25, 2018. Claims are now being processed. The deadline to submit a claim for credit monitoring services or the cash payment was July 19, 2018. Those benefits will be distributed, by December 1, 2018, to class members who submitted timely and valid claim forms.

The deadline to claim compensation for out-of-pocket costs will be August 16, 2019. More information about the settlement, and instructions for filing a claim, are available on the settlement website, at www.databreach-settlement.com.